Wi-Fi deauthentication attack
A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.
Technical details
The IEEE 802.11 (Wi-Fi) protocol contains the provision for a deauthentication frame. Sending the frame from the access point to a station is called a "sanctioned technique to inform a rogue station that they have been disconnected from the network".[1]
An attacker can send a wireless access point a deauthentication frame at any time, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with Wired Equivalent Privacy (WEP) for data privacy, and the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing.[2][3][4]
Attacks on hotel guests and convention attendees
The Federal Communications Commission has fined hotels and other companies for launching deauthentication attacks on their own guests; the purpose being to drive them off of their personal hotspots and force them to pay for on-site Wi-Fi services.[5][6][7][8][9]
Use in password attacks
In order to mount a brute-force or dictionary based WPA password cracking attack on a WiFi user with WPA or WPA2 enabled, a hacker must first sniff the WPA 4-way handshake. The user can be elicited to provide this sequence by first forcing them offline with the deauthentication attack.[10]
In a similar phishing style attack without password cracking, Wifiphisher starts with a deauthentication attack to disconnect the user from his legitimate base station, then mounts a man-in-the-middle attack to collect passwords supplied by an unwitting user.
Toolsets
Aircrack-ng suite, MDK3, Void11, Scapy(Not Scrapy), and Zulu software can mount a WiFi deauthentication attack.[10] A one-line aircrack-ng command has been published which can do so.[4] The off-the-shelf WiFi Pineapple rogue access point hardware can issue a deauth attack.[11][12] An open-source project called wifijammer can also automatically scan for and jam all networks within range of an operator.[13]
See also
- Radio jamming
- IEEE 802.11w – offers increased security of its management frames including authentication/deauthentication
References
- ^ Joshua Wright (2005), Weaknesses in Wireless LAN Session Containment (PDF)
- ^ Mateti, Prabhaker (2005), Hacking Techniques in Wireless Networks: Forged Deauthentication, Department of Computer Science and Engineering, Wright State University
- ^ Bellardo, John; Savage, Stefan (2003-05-16), "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Proceedings of the USENIX Security Symposium, Aug 2003 – via Cal Poly (Deauthentication Attack chapter link)
- ^ a b Mohit Raj (April 1, 2015), "Beware: It's Easy to Launch a Wireless Deauthentication Attack!", Open Source For U
- ^ Katia Hetter (October 4, 2014), Marriott fined $600,000 by FCC for blocking guests' Wi-Fi, CNN
- ^ Nicholas Deleon (August 18, 2015), "FCC Fines Hotel Wi-Fi Provider for Blocking Personal Hotspots", Vice
- ^
Order and consent decree — In the Matter of SMART CITY HOLDINGS, LLC (PDF), Federal Communications Commission, August 18, 2015, DA 15-917,
The complaint charged that its customers could not connect to the Internet using the complainant's equipment at several venues where Smart City operates or manages the Wi-Fi access. Specifically, the complainant alleged that Smart City transmitted deauthentication frames to prevent the complainant's customers' use of their Wi-Fi equipment. ... Smart City's responses [to FCC Letters of Inquiry] revealed that, at several venues where it managed or operated Wi-Fi systems, it automatically transmitted deauthentication frames to prevent Wi-Fi users whose devices produced a received signal strength above a preset power level at Smart City access points from establishing or maintaining a Wi-Fi network independent of Smart City's network.
- ^ Mike Masnick (October 3, 2014), "FCC Fines Marriott For Jamming Customers' WiFi Hotspots To Push Them Onto Hotel's $1,000 Per Device WiFi", Tech Dirt
- ^ Thomas Claburn (October 4, 2014), "Marriott Pays $600,000 For Jamming WiFi Hotspots", Information Week
- ^ a b Wireless Security Series Part I: Deauthentication Attacks by AirMagnet Intrusion Detection Research Team, Fluke Networks
- ^ Declan McCullagh (March 10, 2012), Five ways to protect yourself from Wi-Fi honeypots, CNet
- ^ Darren Kitchen (January 14, 2015), "WiFi Deauth Attacks, Downloading YouTube, Quadcopters and Capacitors", Hak5, episode 1722
- ^ https://github.com/DanMcInerney/wifijammer
Further reading
- Nguyen, Thuc D.; Nguyen, Duc H. M.; Tran, Bao N.; Vu, Hai; Mittal, Neeraj (August 2008), "A Lightweight Solution for Defending against Deauthentication/Disassociation Attacks on 802.11 Networks", Proceedings of the 17th IEEE International Conference on Computer Communications and Networks (ICCCN), St. Thomas, Virgin Islands, USA, pp. 185–190, doi:10.1109/ICCCN.2008.ECP.51, ISBN 978-1-4244-2389-7(subscription required)
- author's link (no paywall)
- GPS, Wi-Fi, and Cell Phone Jammers — FCC FAQ